Main Vulnerability Database Vulnerabilities #VU78931

#VU78931 OS Command Injection in Foreman - CVE-2023-0118

Published: August 3, 2023

Vulnerability identifier: #VU78931

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-0118

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Foreman

Software vendor:
Foreman

Description

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when processing templates . A remote privileged user can bypass safe mode and inject and execute arbitrary OS commands via the Report Templates function by modifying the "template" JSON value in the POST request.

Remediation

Install updates from vendor's website.

External links

https://bugzilla.redhat.com/show_bug.cgi?id=2159291